Date: Tue, 12 Jun 2018 16:54:37 +0200 From: =?UTF-8?Q?Olivier_Cochard=2DLabb=C3=A9?= <olivier@freebsd.org> To: Patrick Lamaiziere <patfbsd@davenulle.org> Cc: freebsd-net@freebsd.org Subject: Re: 11.2-RC1 setkey invalid spi ? Message-ID: <CA%2Bq%2BTco%2BZ6E1r_rcQfVMzFuQtKHjpFE52Ub6ch9WDJHfBDEUFA@mail.gmail.com> In-Reply-To: <20180612160116.58df4001@mr185083> References: <20180612143447.697681c5@mr185083> <20180612160116.58df4001@mr185083>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jun 12, 2018 at 4:02 PM Patrick Lamaiziere <patfbsd@davenulle.org> wrote: > Le Tue, 12 Jun 2018 14:34:47 +0200, > Patrick Lamaiziere <patfbsd@davenulle.org> a =C3=A9crit : > > Hello > =E2=80=8BHi Patrick, =E2=80=8B > > Well I can reproduce this problem by using setkey(8) : > > /etc/ipsec.conf > add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret"; > add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret"; > > > =E2=80=8B You can't no more use the same SPI for these 2 entries (cf the TCP MD5 examples into the setkey man page): Use TCP MD5 between two numerically specified hosts: add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ; =E2=80=8BRegards, Olivier=E2=80=8B
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2Bq%2BTco%2BZ6E1r_rcQfVMzFuQtKHjpFE52Ub6ch9WDJHfBDEUFA>